Where's the Steve Jobs of IT security?
- — 19 October, 2011 07:11
The world of information security needs a Steve Jobs.
Despite our best efforts, IT security hasn't had anything like the string of successes that Steve Jobs saw during his amazing career. None of the successes that we've had have been quite so profound as, say, the iPod or iPhone. Can we apply some of the thinking that resulted in those iconic devices to our IT security world?
It would be pretty difficult to find another business leader who could match Jobs' track record. We're talking about the man who not only co-founded Apple but later returned when the company was on the ropes and engineered not just a recovery but unparalleled successes. Through the years, he was invigorating and downright jaw-dropping to watch.
How does that relate to the world of IT security? Well, let's dig a bit deeper into Jobs' biggest successes a bit.
Just to name a few, he led the introductions of the iPod, the iPhone, the iPad and the MacBook Air. Not one of these was entirely new in its class. There were already MP3 players available; there were smartphones; there were tablet PCs; there were ultralight laptops.
But, under Jobs, Apple made consumers want these products like no other. For example, a huge chunk of the market has declared that it doesn't want tablet PCs -- it wants iPads. And somehow, other MP3 players just aren't iPods.
So, just what is the special sauce that makes these iThingies more desirable to huge masses than their counterparts? Was it Steve's amazing keynote speeches? Was it the "Think Different" billboards and ads? Was it Steve's fashion sense?
All of these things may have contributed to the allure, but there's more. One thing that I feel has been a key differentiator of Apple products is their user interfaces. Apple's reputation is that its products just work, right? You may not buy into that notion, but a lot of people do.
And my own experience has been that I've had far fewer IT-related woes after switching my company infrastructure to all-Apple than I ever had with Windows or Linux systems. For the most part, it's been easy-peasy. I'm not saying that Apple products are perfect, but by being uncompromising on user interfaces, they have truly made my life easier.
So, after hearing the sad news about Steve's death, I wondered what sorts of lessons we can learn from his legacy in the IT security world. Here are a few to ponder:
Make it intuitive.
Remember user manuals? Sure, they still have their place, but user interfaces aren't one of those. A user interface should speak for itself. In helping my family and a few friends figure out iOS interfaces on iPhones and iPads, my general guidance has been, "Try what you think is intuitive, and it will most likely do what you expect." That advice has worked more often than not. That's how our security systems should be as well. Figuring out how to configure a security device shouldn't require a week of product training! Even when your product features seem to justify the learning curve, it just shouldn't be that tough to get started.
Make it simple.
I'm talking about the devices themselves, not their interfaces. The first time I saw an iPod, I thought it was too simple -- a dial and no buttons -- to be useful. Boy, was I wrong! Simplicity should be its own reward. We have a long way to go on this one.
Ignore the status quo.
Forget what's been done before. To Apple, "think different" has been far more than just advertising and hype; it's been a way of life. We in IT security need to do better to encourage and reward innovation. The world doesn't need another static signature-based virus or intrusion detection tool, folks. Optimizing how fast we can distribute signatures among our antivirus, anti-malware and IDS products isn't innovation; it is bailing the water out of our sinking boat faster. We need better.
Make it exciting.
This is probably the toughest one for us engineers to take on, but one of the intangible things that have worked to Apple's benefit is the excitement factor. Having a charismatic leader certainly helped. But don't ever underestimate the value of the excitement factor.
How do you make security products exciting? That's a tough one, but I'd start with security features, functionality or products that are compelling by themselves, that get people clamoring for them. Is that even possible? Yes, actually it is. When I first installed Apple Airport Extreme to replace a near-dead, non-Apple predecessor, one of the installation options was to duplicate the settings of the device being replaced, including all the security settings. It was compellingly easy, and made for a very easy installation. That is the sort of thinking that we need more of in the security disciplines.
This list is far from complete. I'm sure many business schools will be studying Apple's story for years to come.
My main point, though, is that we in IT security could do a lot worse than emulating Apple and Steve Jobs a bit more than we currently do. We've somehow got to find ways to get people to want security in their systems just as they want functionality. We've got to give them iPods, not insomnia-curing MP3 players.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.